
The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as a .svg file.

The use of SVG (Scalable Vector Graphics) files is important. SVG is XML-based, meaning a criminal can embed any type of content they want, such as JavaScript. In this case, JavaScript is exactly what the attackers embedded.
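Because an SVG is plain XML, the active content it carries is visible to a parser before the file is ever rendered. The following added example (not code from the article or from the researchers it cites) walks an SVG document and flags the three places JavaScript can live in it: `<script>` elements, `on*` event-handler attributes, and `javascript:` URLs in `href`/`xlink:href`. The two sample SVG strings are constructed for the demonstration and are not the attachment described in the story; the check names and thresholds are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a plain image with no active content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="red"/>
</svg>"""

# Constructed sample: an "image" that carries script in all three places
# a defender should look. Script bodies are deliberately empty comments.
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="/* constructed handler */"/>
  <a xlink:href="javascript:void(0)"><text>click</text></a>
  <script>/* constructed, empty script body */</script>
</svg>"""


def _local(name):
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text):
    """Return a list of (reason, element) findings describing where an SVG
    document carries executable content. An empty list means none was found.

    Note: xml.etree is used here for a stdlib-only demo; when scanning files
    from untrusted senders in production, parse with defusedxml (assumed
    available) so entity-expansion tricks cannot exhaust the scanner.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append(("script element", tag))
        if tag == "foreignobject":
            # foreignObject can wrap arbitrary XHTML, which may itself contain script.
            findings.append(("foreignObject element", tag))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                # onload, onclick, onbegin, ... all run script when the event fires.
                findings.append((f"event handler attribute {name}", tag))
            if name == "href" and value.strip().lower().startswith("javascript:"):
                # Covers both plain href and xlink:href after namespace stripping.
                findings.append(("javascript: URL in href", tag))
    return findings


def is_suspicious(svg_text):
    """True if the SVG should be treated as an executable attachment, not a picture."""
    return len(find_active_content(svg_text)) > 0


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, is_suspicious(doc), find_active_content(doc))
```

A mail or messaging gateway that treats `.svg` as an image type would pass the second sample through untouched; the same parser pass that a renderer performs is enough to route it to attachment handling instead.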

If accessed, the malicious image will direct the victim to a website that appears to be YouTube in design only, as it’s hosted on a completely different URL.

Once the page is loaded, the victim is asked to install a codec in order to play the video that’s shown on the page.

If the codec (presented as a Chrome extension) is installed, the attack is then spread further via Facebook Messenger. Sometimes the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers Locky.

The attack seems to have variations, so it isn’t clear if there is more to it than rogue extensions and downloaded Ransomware.

“As always, be wary when someone sends you just an 'image' - especially when it is not how he or she would usually behave,” Blaze wrote in a blog post.

Both Google and Facebook have been made aware of the attacks. Salted Hash has reached out to Facebook for comment; we'll update this story should they respond.

A Facebook spokesperson sent the following - "We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook, and we are already blocking these ones from our platform. In our investigation, we determined that these were not in fact installing Locky malware—rather, they were associated with Chrome extensions. We have reported the bad browser extensions to the appropriate parties."